Then there are other unreported vulns
As a penetration tester for a large company, it's my job to test all applications before they are certified on our networks. This includes internally developed, as well as COTS apps.
Probably more than 60% of the time, I find vulnerabilities for the vendor to fix. Around 10-20% of the time, it's a critical vulnerability (remote and easy to do). Each time, I noticed they NEVER publish the vulnerability. They just add the fix quietly into their next "update". No mention of what we find at all.
So why don't we say something out loud? Because most software vendors/companies have items in their commercial EULA's which amounts to a non-disclosure agreement. Getting on a bulletin board, twitter, etc. will put the company you work for--and your job--in jeopardy; so unfortunately this isn't an option.
So if your a network engineer, be aware of this factor and use it to budget better security equipment to mitigate this fact. Especially with external facing web applications.
Biting the hand that feeds IT
